Protocols Susceptible to Sniffing

Once you figure out how to start looking at all those packets you’re pulling in (and we’ll get to that in a minute), you may start asking yourself which ones are more important than others. I mean, there are tons of the things. Millions of them. Billions. Surely some of them are more important than others, right? Well, this is where knowing how protocols work on a network comes into play.

Some protocols in the upper layers are important for an ethical hacker to pay attention to—mainly because of their simplicity. When you think about an Application layer protocol, remember it normally relies on other protocols for almost everything else except its sole, primary purpose. For example, consider Simple Mail Transport Protocol (SMTP). SMTP was designed to do one thing: carry an e-mail message. It doesn’t know anything about IP addressing or encryption or how big the network pipe is; its only concern is packaging ASCII characters together to be given to a recipient. Because it was written to carry nothing but ASCII, there is virtually no security built into the protocol at all. In other words, unless encryption is added at another layer, everything sent via SMTP is sent as clear text, meaning it can be easily read by someone sniffing the wire. Now, SMTP is on version 3 (SMTPv3), so not all SMTP packets will provide the detail you’re looking for, but I’m sure you catch the drift.

Are there other Application-layer protocols to pay attention to? You bet your Manwich there are. For example, although FTP requires a user ID and password to access the server (usually), the information is passed in clear text over the wire. TFTP passes everything in clear text, and you can pull keystrokes from a sniffed Telnet session (user name and password, anyone?). SNMPv1 and NNTP send their passwords and data over clear text, as do IMAP and POP3. And HTTP? Don’t get me started, what with all the data that one sends in the clear. Several Application-layer protocols have information that’s readily available to captured traffic—you just need to learn where to look for it. Sometimes data owners will use an insecure application protocol to transport information that should be kept secret. Sniffing the wire while these clear-text messages go across will display all that for you.

Protocols at the Transport and Network layers can also provide relevant data. TCP and UDP work in the Transport layer and provide the port numbers that both sides of a data exchange are using. TCP also adds sequence numbers, which will come into play later, during session hijacking. IP is the protocol working at the Network layer, and there is a load of information you can glean just from the packets themselves (see Figure 4-2). An IP packet header contains, of course, source and destination IP addresses. However, it also holds information such as the quality of service for the packet (Type of Service field) and information on fragmentation of packets along the way (Identification and Fragment Offset fields), which can prove useful in crafting your own fragmented packets later.

Figure 4-2. IP packet header

Address Resolution Protocol (ARP)

We’ve spent a little time covering some base information you’ll need regarding Application, Transport, and Network layer protocols, but the Data Link layer is going to be a huge area of focus for the sniffing portion of your exam (not to mention your success in sniffing). Frames are built in the Data Link layer, and that’s where all your local addressing happens. And how, pray tell, do systems discover the local, physical (MAC) address of other machines they wish to communicate with? By asking, of course, and they ask with a little protocol called Address Resolution Protocol (ARP).

ARP’s entire purpose in life is to resolve IP addresses to machine (MAC) addresses. As noted earlier, while each IP packet provides the network address (needed to route the packet across different networks to its final destination), the frame must have a MAC address of a system inside its own subnet to deliver the message. So as the frame is being built inside the sending machine, the system sends an ARP_REQUEST to find out what MAC address inside the subnet can process the message. Basically, it asks the entire subnet, via a broadcasted message, “Does anyone have a physical address for the IP address I have here in this packet? If so, please let me know so I can build a frame and send it on.” If a machine on the local subnet has that exact IP, it will respond with an ARP_REPLY directly to the sender, saying “Why yes, I’m the holder of that IP address, and my MAC address is _macaddress_.” The frame can then be built and the message sent.

Sometimes, though, the message is not intended for someone in your network segment. Maybe it’s a packet asking for a web page, or an e-mail being sent to a server somewhere up the Net, or maybe even a packet intended to start another yelling contest on Facebook. In any case, if the IP address of the packet being sent is not inside the same subnet, or is not already present in some fashion in your route table (that is, there’s no specific route previously defined for the address), the route table on your host already knows the packet should be sent to the default gateway. (The default gateway is also known as the “route of last resort,” and is, generally speaking, your local router port). If it doesn’t happen to remember the default gateway’s MAC address, it’ll send out a quick ARP request to pull it. Once the packet is properly configured and delivered to the default gateway, the router will open it, look in the route table, and build a new frame for the next subnet along the route path. As it builds that frame, it will send another ARP request: “Does anyone have a physical address for the IP address I have here in this packet? If so, please let me know so I can build a frame and send it on.” This continues on each subnet until the packet finds its true destination.

Want to know another interesting thing about ARP? The protocol retains a cache on machines as it works—at least, in many implementations it does. This really makes a lot of sense when you think about it—why make repeated ARP requests for machines you constantly talk to? To see this in action, you can use the ping, arp, and netsh commands on your Windows machine. The command arp -a will display your current ARP cache—you can see all the IP-to-MAC mappings your system knows about. Next, enter either arp -d * or netsh interface ip delete arpcache. Try arp -a again, and you’ll see your cache cleared. Refill it on the fly by pinging anything on your network. For example, I pinged a laptop over in the corner with an address of 192.168.0.3. It responded, and my ARP cache has a new entry (see Figure 4-3). Try it yourself on your network.

Figure 4-3. ARP cache

There are a couple of other relevant notes on ARP. First, the protocol works on a broadcast basis. In other words, requests (“Does anyone have the MAC for this IP address?”) and replies (“I do. Here’s my physical address—please add it to your cache”) are broadcast to every machine on the network. Second, the cache is dynamic—that is, the information in it doesn’t stay there forever, and when your system gets an updated ARP message, it will overwrite the cache with the new information. Suppose, for example, Machine A shuts down for a while and sends no further messages. Eventually, all system caches will delete its entry, almost as if it never existed. Suppose also that Machine B changes its NIC and now has a new MAC address. As soon as it sends its first ARP message, all systems on the network receiving it will update their caches with this new MAC address.

All of this is interesting information, but just how does it help a hacker? Well, if you put on your logical thinking cap, you’ll quickly see how it could be a veritable gold mine for your hacking efforts. A system on your subnet will build frames and send them out with physical address entries based on its ARP cache. If you were to somehow change the ARP cache on Machine A and alter the cached MAC address of Machine B to your system’s MAC, you would receive all communication Machine A intends to send to Machine B. Suppose you go really nuts and changed the ARP entry for the default gateway on all systems in your subnet to your own machine. Now you’re getting all messages everyone was trying to send out of the local network, often the Internet. Interested now?

Attackers can do this by sending something called a gratuitous ARP. It is a special packet that updates the ARP caches of other systems before they even ask for it—in other words, before they send an ARP_REQUEST. Its original intent when created was to allow updates for outdated information, which helps with things like IP conflicts, clustering, and other legitimate issues. In our world of hacking, though, it’s easy to see where that could be taken advantage of.

IPv6

Another discussion point of great importance in sniffing (and really all things hacking) is IP version 6. As you’re no doubt aware, IPv6 is the “next generation” of Internet Protocol addressing. It offers a whole new world of interesting terms and knowledge to memorize for your exam (and your job). Because you’re already an IPv4 expert and know all about the 32-bit address, which is expressed in decimal and consists of four octets, we’ll focus a little attention on IPv6 and some things you may not know.

IPv6 was originally engineered to mitigate the coming disaster of IPv4 address depletion (which, of course, didn’t happen as quickly as everyone thought, thanks to network address translation and private networking). It uses a 128-bit address instead of the 32-bit IPv4 version and is represented as eight groups of four hexadecimal digits separated by colons (for example, 2002:0b58:8da3:0041:1000:4a2e:0730:7443). Methods of abbreviation do exist, however, making this overly complex-looking address a little more palatable. Leading zeroes from any groups of hexadecimal digits can be removed, and consecutive sections of zeroes can be replaced with a double colon (::). This is usually done to either all or none of the leading zeroes. For example, the group 0054 can be converted to 54.

Despite the overly complex appearance of IPv6 addressing, its design actually reduces router processing. The header takes up the first 320 bits and contains source and destination addresses, traffic classification options, the hop count, and extension types. Referred to as Next Header, this extension field lets the recipient know how to interpret the data payload. In short, among other things, it points to the upper-layer protocol carried in the payload. Figure 4-4 shows an IPv6 packet header.

Figure 4-4. IPv6 packet

As with IPv4, which has unicast, multicast, and broadcast, IPv6 has its own address types and scopes. Address types include unicast, multicast, and anycast, and the scopes for multicast and unicast include link local, site local, and global. The good old broadcast address, which in IPv4 was sent to all hosts in a network segment, is no longer used. Instead, multicast functions, along with scope, fulfill that necessity. Table 4-1 details address types and scopes.

Addressing in IPv6 isn’t too terribly difficult to understand, but scope adds a little flair to the discussion. Unicast is just like IPv4 (addressed for one recipient) and so is multicast (addressed for many), but anycast is an interesting addition. Anycast works just like multicast; however, whereas multicast is intended to be received by a bunch of machines in a group, anycast is designed to be received and opened only by the closest member of the group. The nearest member is identified in terms of routing distance; a host two hops away is “closer” than one three hops away. Another way of saying it might be: Whereas multicast is used for one-to-many communication, anycast is used for one-to-one-of-many communication.

The scope for multicast or anycast defines how far the address can go. A link-local scope defines the boundary at the local segment, with only systems on your network segment getting the message. Anything past the default gateway won’t get it, because routers won’t forward the packets. It’s kind of like the old 169.254.1–254.0 network range: it’s intended for private addressing only. Site-local scope is much the same; however, it is defined via a site. Sites in IPv6 addressing can be a fairly confusing subject because the same rules apply as to the link-local scope (packets are not forwarded by a router). But if you’re familiar with the private address ranges in IPv4 (10.0.0.0, 172.16–32.0.0, and 192.168.0.0), the site should make sense to you. Think of it this way: link-local can be used for private networking and autoconfiguring addressing, like the out-of-the-box easy networking of the 169.254.0.0 network, while site-local is more akin to setting up your private networks using predefined ranges.

As far as IPv6 on your exam goes, again it depends on which pool your random roll of the virtual dice pulls for you. Some (most) exams won’t even mention it, whereas others will seem to treat it like one of the only topics that matter. Most IPv6-type questions are easy—as you can see from our discussion, this is mostly rote memorization. You’re not going to be asked to divine network IDs or anything like that; you’ll just be quizzed on general knowledge. It’s helpful to note, though, that IPv6 makes traditional network scanning very, very difficult—in one definition I read somewhere online, “computationally less feasible”—due to the larger address space to scan. However, should an attacker get a hold of a single machine inside a native IPv6 network, the “all hosts” link-local multicast address will prove quite handy.

Wiretapping

Finally, our last entry in fundamental sniffing concepts has to do with our friends in law enforcement and what they do in regard to sniffing. Lawful interception is the process of legally intercepting communications between two (or more) parties for surveillance on telecommunications, Voiceover IP (VoIP), data, and multiservice networks. Thankfully, none of the study material I’ve read highlights the cavalcade of related definitions and terms, so the basics here are all you need.

As an aside, but very relevant to this discussion, were you aware that the National Security Agency (NSA) wiretaps a gigantic amount of the foreign Internet traffic that just happens to come through US servers and routers? It uses a data tool called Planning Tool for Resource Integration, Synchronization, and Management (PRISM) to collect said foreign intelligence passing through Uncle Sam’s resources. I don’t know any more information on this and I don’t want to know—just making sure I cover everything here for you, dear reader.

MAC Flooding

Suppose you don’t know how to reconfigure the switch OS to set up a span port, or you just don’t have the access credentials to log in and try it. Are you out of luck? Not necessarily. Another option you have is to so befuddle and confuse the switch that it simply goes bonkers and sends all messages to all ports—and you can do this without ever touching the switch configuration. To explain how this all works, come with me on a short journey into the mind of a switch, and learn how the whole thing works with an overly simplistic, but accurate, account.

Imagine a switch comes right out of the box and gets plugged in and turned on. All these cables are connected to it, and there are computers at the end of all these cables, each with its own unique MAC address. All the switch knows is flooding or forwarding. If it receives a message that’s supposed to go to everyone (that is, a broadcast or multicast frame), the decision is easy, and it will flood that message to all ports. If the switch receives a unicast message (that is, a message with a single MAC address for delivery), and it knows which port to send it to, it will forward the frame to that single port. If it doesn’t know which port to send it to, it will flood it to all, just to be sure. Flooding all packets to every port will certainly get them where they’re going, but it’s not very efficient, so the switch was built to split collision domains and improve efficiency. Therefore, it has to learn who is on what port so it can deliver messages appropriately. To do so, it waits patiently for messages to start coming in.

The first frame arrives and it’s a doozy—a broadcast message from a computer with a MAC address of “A” attached to port 1 is sending an ARP message looking for the MAC address of another computer. The switch opens up a little virtual book and writes: “MAC A is on switchport 1—any messages I see for MAC A can be sent directly to switchport 1.” It then sends the broadcast message out to every available switchport and patiently waits to see who replies. A computer on switchport 2 answers with an ARP reply stating, “I have the IP address you’re looking for, and my MAC address is B.” The switch smiles, and adds to its little virtual notebook, “MAC B is on switchport 2—any messages I see for B can be sent directly to switchport 2.” This continues until the little virtual book has an entry for every port, and the switch hums along, happily delivering messages.

In our story here, the little virtual notebook is called the content addressable memory (CAM) table. As you can imagine, since you know how ARP works now and you know how many packets are delivered back and forth in any given second or so, the CAM table gets updated very often. And if it’s empty, or full, everything is sent to all ports.

You can use this to your advantage in sniffing by figuring out a way to consistently and constantly empty the CAM table, or by simply confusing the switch into thinking the address it’s looking for is not available in the table and thus should be sent out to all ports—including the one you’re sniffing on. This method, which doesn’t work on a lot of modern switches but is questioned repeatedly and often on your exam, is known as MAC flooding. The idea is simple: Send so many MAC addresses to the CAM table it can’t keep up, effectively turning it into a hub. Because the CAM is finite in size, it fills up fairly quickly, and entries begin rolling off the list. Etherflood and Macof are examples of tools you MAC flood with.

ARP Poisoning

Another effective active sniffing technique is called ARP poisoning (also ARP spoofing or gratuitous ARP). This refers to the process of maliciously changing an ARP cache on a machine to inject faulty entries. It’s not really that difficult to achieve. As stated earlier, ARP is a broadcast protocol. So, if Machine A is sitting there minding its own business and a broadcast comes across for Machine B that holds a different MAC address than what was already in the table, Machine A will instantly, and gladly, update its ARP cache—without even asking who sent the broadcast. To quote the characters from the movie Dude, Where’s My Car?: “Sweet!”

Because ARP works on a broadcast, the switch will merrily flood all ARP packets—sending any ARP packet to all recipients. Be careful, though, because most modern switches have built-in defenses for too many ARP broadcasts coming across the wire. (For example, you can configure Dynamic ARP Inspection using DHCP snooping inside Cisco’s IOS.) Also, administrators can use a wide variety of network monitoring tools, such as XArp, to watch for this. Some network administrators are smart enough to manually add the default gateway MAC permanently (using the command arp -s) into the ARP cache on each device. A couple of tools that make ARP flooding as easy as pressing a button are Cain and Abel, WinArpAttacker, Ufasoft, and dsniff (a collection of Linux tools that includes a tool called ARPspoof).

DHCP Starvation

Dynamic Host Configuration Protocol (DHCP) starvation is an attack whereby the malicious agent attempts to exhaust all available addresses from the server. So why is it included in a discussion regarding sniffing, while it’s more of a type of denial-of-service attack? That, dear reader, is something you’ll have to ask the certification provider, for I do not have a clue. What I do know is you need to know how DHCP works and what the attack does.

When a network is set up, the administrator has two options. The first is manually configuring (and keeping track of) IP addresses on each and every system in the network. While this does have several advantages, static addressing comes with a lot of problems—like keeping track of all those IPs, for example. Another solution, and one used on virtually every network on the planet, is handing out and monitoring all these IPs automatically. DHCP is the protocol for the job.

DHCP is actually fairly simple. A DHCP server (or more than one) on your network is configured with a pool of IP addresses. You tell it which ones it can hand out, which ones are already reserved for static systems, and how long systems can keep (or lease) the address. You assign a few other settings and then turn it loose. When a system comes on the network, it sends a broadcast message known as a DHCPDISCOVER packet, asking if anyone knows where a DHCP server is. The DHCP relay agent will respond with the server’s info and then send a DHCPOFFER packet back to the system, letting it know the server is there and available. The system then sends back a DHCPREQUEST packet, asking for an IP. In the final step, the server responds with a DHCPACK message, providing the IP and other configuration information the system needs (see Figure 4-5 for a visual of the process). An easy way to remember it all is the acronym DORA—Discover, Offer, Request, and Acknowledge.

Figure 4-5. DHCP in action

So how does DHCP starvation work? First, the attacker sends an unending stream of forged DHCP requests to the server on the subnet. The server will attempt to fill each and every request, which results in its available IP address pool running out quickly. Then any legitimate system attempting to access the subnet will be unable to pull a new IP or renew its current lease. DHCP starvation attacks can be carried out using tools such as Yersinia and DHCPstarv. Configuring DHCP snooping on your network device and setting up port security (which we’ll discuss more in the next section) are considered proper mitigations against this attack.

Spoofing

Finally, in our romp through traffic-misdirection efforts, we need to spend a little time on spoofing. Whether IP, MAC, DNS, or otherwise, spoofing is simply pretending to be an address you’re not. We’ve already mentioned spoofing in general before, so this concept shouldn’t be anything new to you.

MAC spoofing (also called MAC duplication) is a simple process of figuring out the MAC address of the system you wish to sniff traffic from and changing your MAC to match it. And just how do you change the MAC on your system? Well, there are multiple methods, depending on the OS you use, but they’re all fairly simple. In Windows 8, for instance, you can use the Advanced tab on the NIC properties and just type in whatever you want, or you can go to the registry HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Class\{4d36e972-e325-11ce-bfc1-08002be10318} and find the proper string to update for your NIC. If you’d rather use a tool to do it all for you, SMAC is a good bet.

When a MAC address is spoofed, the switch winds up with multiple entries in the CAM table for a given MAC address. Unless port security is turned on, the latest entry in the table is the one it will use. Port security refers to a security feature on switches that allows an administrator to manually assign MAC addresses to a specific port; if the machine connecting to the port does not use that particular MAC, it isn’t allowed to connect. In truth, this type of implementation turns out to be a bit of a pain for the network staff, so most people don’t use it that way. In most cases, port security simply restricts the number of MAC addresses that can connect to a given port. Suppose your Windows 7 machine runs six virtual machines (VMs) for testing, each with its own MAC. As long as your port security allows for at least seven MACs on the port, you’re in good shape. Anything less and the port will turn amber, SNMP messages will start firing, and you’ll be left out in the cold—or a network admin will come pay you a visit.

For example, suppose “Good Machine,” with MAC address 0A-0B-0C-AA-BB-CC, is on port 2. The switch has learned any frame addressed for that MAC should go to port 2 and no other. The attacker attaches “Bad Machine” to port 3 and wants to see all packets Good Machine is receiving. The attacker uses an application (such as Packet Generator from SourceForge) to create multiple frames with the source address of 0A-0B-0C-AA-BB-CC and send them off (it doesn’t really matter where). The switch notices that the MAC address of Good Machine, formerly on port 2, seems to have moved to port 3, and update s its CAM table accordingly. So long as this is kept up, the attacker will start receiving all the frames originally intended for Good Machine. Not a bad plan, huh?

Another sniffing method you may see on your exam is STP attacks. In an STP attack, the bad guy attaches a rogue switch to the network, then changes the operation of the STP protocol by setting the priority of the rogue switch lower than all others. This doesn’t allow them to sniff all traffic, of course, but it does reveal a variety of frames for the attacker to peruse. This attack is really difficult to pull off, and modern switching networks would probably start screaming at the IDS as soon as it’s attempted. Still, there are a few configuration efforts to defend against it, notably enabling BPDU Guard, Loop Guard, Root Guard, and UniDirectional Link Detection (UDLD) on your Cisco switches.

Plenty of other spoofing opportunities are out there for the enterprising young ethical hacker. Ever heard of IRDP spoofing? It’s a neat attack where the hacker sends spoofed ICMP Router Discovery Protocol messages through the network, advertising whatever gateway they want the system to start routing all messages to. Fun! Another one is DNS poisoning—something introduced way back in Chapter 2—and it can have much the same effect. And if everyone gets their DNS information from a proxy? Well, that’s just all sorts of naughtiness. In short, spoofing may not be the most technical attack in the world, but it sure can bring home the bacon for you.

Snort

One of the most widely deployed IDSs in the world, Snort is an open source IDS that, per its website, “combines the benefits of signature, protocol, and anomaly-based inspection.” It has become the commonly acknowledged standard for IDS and is in use on networks ranging from small businesses to US government enterprise systems. It is a powerful sniffer, traffic-logging, and protocol-analyzing tool that can detect buffer overflows, port scans, operating system fingerprinting, and almost every conceivable external attack or probe you can imagine. Its rule sets (signature files) are updated constantly, and support is easy to find.

Snort runs in three different modes. Sniffer mode is exactly what it sounds like: it lets you watch packets in real time as they come across your network tap. Packet Logger mode saves packets to disk for review at a later time. NIDS mode analyzes network traffic against various rule sets you choose, depending on your network’s situation, and can perform a variety of actions based on what you’ve told it to do.

Snort isn’t completely intuitive to set up and use, but it isn’t the hardest tool on the planet to master, either. That said, as much as I know you’d probably love to learn all the nuances and command-line steps on how to set up and configure Snort completely, this book is about the ethical hacker and not the network security manager. I’m charged with giving you the knowledge you’ll need to pass the exam, so I’ll concentrate on the rules and the output. If you’re really interested in all the configuration minutiae, I suggest grabbing the user manual as a start. It’s an easy read and goes into a lot of things I simply don’t have the time or page count to do here.

The Snort “engine,” the application that actually watches the traffic, relies on the rule sets an administrator decides to turn on. For example, an administrator may want to be alerted on all FTP, Telnet, and CGI attack attempts but not care about denial-of-service attempts against the network. The engine running on that network is the same as the one running on the government enterprise down the street that’s watching everything. The rule sets you select and put in place are what make the difference.

The Snort configuration file resides in /etc/snort on Unix/Linux and in c:\snort\etc\ on most Windows installations. The configuration file is used to launch Snort and contains a list of which rule sets to engage at startup. To start Snort, you can use a command like the following:

snort -l c:\snort\log\ -c c:\snort\etc\snort.conf

Basically, this says, “Snort application, I’d like you to start logging to the directory c:\snort\log\. I’d also like you to go ahead and start monitoring traffic using the rule sets I’ve defined in your configuration file, located in c:\snort\etc.”

The configuration file isn’t all that difficult to figure out either. It holds several variables that need to be set to define your own network situation. For example, the variable HOME_NET defines the subnet local to you. On my home network, I would define the variable in the file to read as follows:

var HOME_NET 192.168.1.0/24

Other variables I could set are displayed in the overly simplified snort.conf file shown next. In this instance, I want to watch out for SQL attacks, but because I’m not hosting any web servers, I don’t want to waste time watching out for HTTP attacks:

var HOME_NET 192.168.1.0/24
* Sets home network
var EXTERNAL_NET any
* Sets external network to any
var SQL_SERVERS $HOME_NET
* Tells Snort to watch out for SQL attacks on any device in the network defined
* as HOME.
var RULE_PATH c:\etc\snort\rules
* Tells Snort where to find the rule sets.
include $RULE_PATH/telnet.rules
* Tells Snort to compare packets to the rule set named telnet.rules and alert on
* anything it finds.

If I were hosting websites, I’d turn that function on in the config file by using the following entry:

var HTTP_SERVERS

SMTP_SERVERS, SQL_SERVERS, and DNS_SERVERS are also entries I could add, for obvious reasons. To include a particular rule set, simply add the following line:

include $RULE_PATH/name_of_rule

Speaking of rule sets, there are loads of them. The rules for Snort can be downloaded from the Snort site at any time in a giant .zip (.tar) file. The rules are updated constantly, so good administrators will pull down fresh copies often. Because the rules are separate from the configuration, all you have to do to update your signature files is to drop the new copy in the directory holding the old copy. One quick overwrite (and usually a stop/start of services) is all that’s needed. If you’re looking for some help in managing signature updates and such, Oinkmaster is the standard for it.

A rule itself is fairly simple. It must be a single line and is composed of a header and options. Each rule contains an action, a protocol, the rule format direction (which could be bi-directional), a source address/port, a destination address/port, and message parameters. The Snort rule action can be Alert (in a variety of configured methods, alert when the condition is met), Log (simply make a note when the condition is met), or Pass (ignore the packet). For example, consider the following rule:

alert tcp !HOME_NET any -> $HOME_NET 31337 (msg :"BACKDOOR
ATTEMPT-Backorifice")

This rule tells Snort, “If you happen to come across a packet from any address that is not my home network, using any source port, intended for an address within my home network on port 31337, alert me with the message ‘BACKDOOR ATTEMPT-Backorifice.’” Other options you can add to the message section include flags (indicating specific TCP flags to look for), content (indicating a specific string in the packet’s data payload), and specialized handling features. For example, consider this rule:

alert tcp !$HOME_NET any -> $HOME_NET 23 (msg:"Telnet attempt..admin access";
content: "admin")

Here’s the meaning: “Please alert on any packet from an address not in my home network and using any source port number, intended for any address that is within my home network on port 23, including the ASCII string ‘admin.’ Please write ‘Telnet attempt..admin access’ to the log.” As you can see, although it looks complicated, it’s really not that hard to understand. And that’s good news, because you’ll definitely get asked about rules on the CEH exam.

Lastly on Snort, you’ll also need to know how to read the output. GUI overlays are ridiculously easy, so I’m not even going to bother here—you purchased this book, so I’m relatively certain you can read already. Command-line output, though, requires a little snooping around. A typical output is listed here (bold added for emphasis):

02/07-11:23:13.014491 0:10:2:AC:1D:C4 -> 0:2:B3:5B:57:A6 type:0x800 len:0x3C
200.225.1.56:1244 -> 129.156.22.15:443 TCP TTL:128 TOS:0x0 ID:17536 IpLen:20 DgmLen:48 DF
******S* Seq: 0xA153BD Ack: 0x0 Win: 0x2000 TcpLen: 28
TCP Options (4) => MSS: 1460 NOP NOP SackOK
0x0000: 00 02 B3 87 84 25 00 10 5A 01 0D 5B 08 00 45 00 .....%..Z..[..E.
0x0010: 00 30 98 43 40 00 80 06 DE EC C0 A8 01 04 C0 A8 .0.C@...........
0x0020: 01 43 04 DC 01 BB 00 A1 8B BD 00 00 00 00 70 02 .C............p.
0x0030: 20 00 4C 92 00 00 02 04 05 B4 01 01 04 02 .L...........

I know, it looks scary, but don’t fret—this is simple enough. The first portion of the line indicates the date stamp at 11:23 on February 7. The next entry shows the source and destination MAC addresses of the frame (in this case, the source is 0:10:2:AC:1D:C4 and the destination is 0:2:B3:5B:57:A6). The Ethernet frame type and length are next, followed by the source and destination IPs, along with the associated port numbers. This frame, for example, was sent by 200.225.1.56, with source port 1244, destined for 129.156.22.15 on port 443 (can you say “SSL connection attempt”?). The portion reading ******S* indicates that the SYN flag was set in this packet, and the sequence and acknowledgment numbers follow. The payload is displayed in hex digits below everything.

Do you need to remember all this for your exam? Of course you do. The good news is, though, most of the time you can figure out what’s going on by knowing where to find the port numbers and source/destination portions of the output. I bolded them in the preceding code listing for emphasis. I guarantee you’ll see output like this on your exam, so be ready to answer questions about it.

Firewall

While we’re on the subject of sniffing (and other attack) roadblocks, I can’t ignore the one everyone has already heard of—the firewall. If you’ve watched a Hollywood movie having anything whatsoever to do with technology, you’ve heard mention of firewalls. If you’re like me, you cringe every time they bring it up. Script writers must believe that a firewall is some kind of living, breathing entity that has the capability to automatically sense what the bad guys are doing, and that anything that makes it past the firewall is free and clear. A firewall isn’t the end-all of security; it’s just one tool in the arsenal.

A firewall is an appliance within a network that is designed to protect internal resources from unauthorized external access. Firewalls work with a set of rules that explicitly state what is allowed to pass from one side of the firewall to the other. Additionally, most firewalls work with an implicit deny principle, which means there is no need to create a rule to deny packets—if there is not a rule defined to allow the packet to pass, it is blocked. For example, there may be a rule saying port 80 is allowed to pass from external to internal, but if there is not a rule saying port 443 is allowed, SSL requests to internal resources will automatically be denied.

Another interesting point on most firewalls is that the list of rules that determine traffic behavior is usually read in order, from top to bottom. As soon as a match is made, the firewall decides whether to pass the packet. For example, an access control list (ACL) that starts out with an entry of allow ip any any would make the firewall moot—every IP packet will be allowed to pass, because the match is made on the first entry. Most firewalls are configured with rule sets to allow common traffic, such as port 80 if you’re hosting web servers and port 53 for DNS lookups, and then rely on implicit deny to protect the rest of the network.

Many firewalls (just like routers) also implement network address translation (NAT) at the border. Basic NAT is a one-to-one mapping, where each internal private IP address is mapped to a unique public address. As the message leaves the network, the packet is changed to use the public IP, and when it is answered and routed back through the Internet to the firewall (or external router), NAT matches it back to the single corresponding internal address and sends it along its way. For example, a packet leaving 172.16.1.72 would be changed to 200.57.8.212 for its journey across the Internet. Although the rest of the world will see IP addresses in your public range, the true senders of the data packets are internal and use an address from any of the private network classes (192.168.0.0, 172.16–31.0.0, or 10.0.0.0).

NAT can be implemented in many different ways, however, and in the real world, most organizations and individuals don’t implement a one-to-one mapping; it’s simply too expensive. A more common method is NAT overload, better known as port address translation. This method takes advantage of the port numbers (and other items) unique to each web conversation to allow many internal addresses to use one external address. Although we could start an entire conversation here on how this works and what to watch for, I’m simply mentioning it so you won’t be caught off guard by it should you see it on the exam.

Much like IDSs, the placement of firewalls is important. In general, a firewall is placed on the edge of a network, with one port facing outward, at least one port facing inward, and another port facing toward a DMZ (as you’ll recall from Chapter 2, that’s an area of the network set aside for servers and other resources to which the outside world will need access). Some networks will apply additional firewalls throughout the enterprise to segment for various reasons.

Originally, firewalls were all packet-filtering firewalls. They basically looked at the headers of packets coming through a port and decided whether to allow them based on the ACLs configured. Although this does provide the ability to block specific protocols, the major drawback of using packet filtering alone is twofold: it is incapable of examining the packet’s payload, and it has no means to identify the state of the packet. This problem gave rise to stateful inspection firewalls, which gave firewalls the means to track the entire status of a connection. For instance, if a packet arrives with the ACK flag set but the firewall has no record of the original SYN packet, that would indicate a malicious attempt. These may also be referred to as stateful multilayer inspection firewalls, with the capability from the Network layer up to the Application layer (although their focus is in Layers 3 and 4).

Two other firewall types of note are circuit-level gateway and application-level firewalls. A circuit-level gateway firewall works at the Session layer and allows or prevents data streams—it’s not necessarily concerned with each packet. An application-level firewall filters traffic much like a proxy, allowing specific applications (services) in and out of the network based on its rule set.

Firewall Evasion

Knowing what a firewall is, where and how it’s most likely to be used in the network, and how it works (via ACLs and/or stateful inspection) is only part of the battle. What you really need to know now is how to identify where the firewall is from the outside (in the middle of your footprinting and attack) and how to get around it once you find it. Identifying a firewall location doesn’t require rocket-scientist brainpower, because no one really even bothers to hide the presence of a firewall. As covered earlier, a simple traceroute can show you where the firewall is (returning splats to let you know it has timed out). If you’re using your sniffer and can look into the packets a little, an ICMP Type 3 Code 13 will show that the traffic is being stopped (filtered) by a firewall (or router). An ICMP Type 3 Code 3 will tell you the client itself has the port closed. A tool called Firewall Informer, and others like it, can help in figuring out where the firewall is. Lastly, banner grabbing—which we covered in the previous chapter—also provides an easy firewall-identification method.

Once you find the firewall (easy), it’s now time to find out ways to get through or around it (not so easy). Your first step is to peck away at the firewall to identify which ports and protocols it is letting through and which ones it has blocked (filtered). This process of “walking” through every port against a firewall to determine what is open is known as firewalking. Tons of tools are available for this—nmap, other footprinting tools, even a tool called Firewalk (from PacketStorm). Whether you set up an nmap scan and document the ports yourself or use a program that does it for you, the idea is the same: find a port the firewall will allow through, and start your attack there. Just keep in mind that this is generally a noisy attack and you will, most likely, get caught.

Of course, the best method available is to have a compromised machine on the inside initiate all communication for you. Usually firewalls—whether stateful or packet filtering—don’t bother looking at packets with internal source addresses leaving the network. So, for example, suppose you e-mail some code to a user and have them install it (go ahead, they will… trust me). The system on the inside could then initiate all communications for your hacking efforts from the outside, and you’ve found your ticket to ride.

When it comes to the actual applications you can use for the task, packet-crafting and packet-generating tools are the ones you’ll most likely come across in your career for evading firewalls and IDSs. However, there are a couple of tools specifically designed for the task. PackETH is a Linux tool from SourceForge that’s designed to create Ethernet packets for “security testing.” Another SourceForge product is Packet Generator, which allows you to create test runs of various packet streams to demonstrate a particular sequence of packets. Netscan also provides a packet generator in its tool conglomeration. All of these allow you to control the fields in frame and packet headers and, in some cases, interject payload information to test the entirety of the security platform. Not bad, huh?

Honeypots

Our final network roadblock isn’t really designed to stop you at all. Quite the contrary: this one is designed to invite you in and make you comfortable. It provides you with a feeling of peace and tranquility, consistently boosting your ego with little successes along the way—and, like a long-lost relative, encourages you to stay for a while.

A honeypot is a system set up as a decoy to entice attackers. The idea is to load it up with fake goodies, with not-too-easy vulnerabilities a hacker may exploit. An attacker, desperately looking for something to report as a success, stumbles upon your honeypot and spends all their time and effort there, leaving your real network and resources alone.

While it sounds like a great idea, a honeypot isn’t without its own dangers. By design a honeypot will be hacked, so this brings up two very important points. First, nothing on a honeypot system is to be trusted. Anything that has that many successful attacks against it could be riddled with loads of stuff you don’t even know about yet. Don’t put information or resources on the honeypot that could prove useful to an attacker, and don’t trust anything you pull off it. Granted, the information and resources have to look legitimate; just make sure they’re not.

Second, the location of the honeypot is of utmost importance. You want this to be seen by the outside world, so you could place it outside the firewall. However, is that really going to fool anyone? Do you really believe a seasoned attacker is just going to accept that an administrator has protected everything on the network behind a firewall, but just forgot this really important server on the outside? A better, more realistic placement is inside the DMZ. A hacker will discover pretty quickly where the firewall is, and placing a hard-to-find port backdoor to your honeypot there is just the ticket to draw them in. Wherever you wind up locating the honeypot, wall it off to prevent it becoming a launching pad for further attacks.

There are four types of honeypots: high, medium and low interaction, and “pure”:

High-interaction

A high-interaction honeypot simulates all services and applications and is designed to be completely compromised. Examples include Symantec, Decoy Server, and Honeynets.

Medium-interaction

A medium-interaction honeypot simulates a real operating system and several applications and services.

Low-interaction

A low-interaction honeypot simulates a limited number of services and cannot be compromised completely (by design). Examples include Specter, Honeyd, and KFSensor. Of course, in the real world, almost no one has the time, interest, or concern to install and maintain a honeypot.

“Pure”

A “pure” honeypot emulates the actual production network of the organization. Most real hackers know they’re in one pretty quickly, and the payoff (that is, getting anything substantially useful out of it) is often nothing. But it is testable material, so learn what you must.

Finally, I can’t leave the topic of honeypots without covering an important piece of information any attacker – ethical or not – would need to know: just how can you detect a honeypot’s presence? I mean, after all, if you’re an attacker and you know the potential for a honeypot sitting somewhere on your target network is high, it would be great to avoid it. So what techniques can you employ to discover and avoid honeypots on your networks?

One quick approach involves using the same methods you’d employ to enumerate a device. First, you send probe packets to the device to identify services running. Once you identify these services, attempt a simple three-way handshake on each of them to identify which are “live.” If the box shows multiple services running, but none of them completes the handshake, there’s a very high probability you’ve found a honeypot.

Other methods can run from the relatively simple to the really complex. For a simple example, watch the MAC addresses sent back and forth to learn from them which is a honeypot; IEEE regulates MAC addresses, so mapping what you see against potential known virtual machines may indicate a honeypot. For one that’s a bit more complex, you might check systems for the presence of the honeyd daemon. Honeyd is an application that allows the owner to set up and run multiple virtual hosts on the computer, and is often used in honeypot creation. You can employ something called time-based TCP fingerprinting (using latency and time in TCP responses to fingerprint the device) to discover the presence of honeyd.

You need to also be familiar with the term tar pits. These are security entities on the network designed to slow attackers down by responding very slowly to incoming requests. Tar pits are categorized by the OSI layer in which they operate. You can discover them by tracking latency of response, examining window sizes within TCP responses, and watching MAC addresses for “black hole” entries (MAC addresses designed to send responses to a “black hole”, such as 0:0:f:ff:ff:ff) or addresses resolving to known VMWare systems.